diff --git a/pkg/op/authrequest_test.go b/pkg/op/authrequest_test.go
index 2ea03b2..f18f642 100644
--- a/pkg/op/authrequest_test.go
+++ b/pkg/op/authrequest_test.go
@@ -160,98 +160,98 @@ func TestValidateAuthReqRedirectURI(t *testing.T) {
 		{
 			"empty fails",
 			args{"",
-				mock.NewClientWithConfig(t, []string{"https://registered.com/callback"}, op.ApplicationTypeWeb, false),
+				mock.NewClientWithConfig(t, []string{"https://registered.com/callback"}, op.ApplicationTypeWeb, nil, false),
 				oidc.ResponseTypeCode},
 			true,
 		},
 		{
 			"unregistered fails",
 			args{"https://unregistered.com/callback",
-				mock.NewClientWithConfig(t, []string{"https://registered.com/callback"}, op.ApplicationTypeWeb, false),
+				mock.NewClientWithConfig(t, []string{"https://registered.com/callback"}, op.ApplicationTypeWeb, nil, false),
 				oidc.ResponseTypeCode},
 			true,
 		},
 		{
 			"code flow registered http not confidential fails",
 			args{"http://registered.com/callback",
-				mock.NewClientWithConfig(t, []string{"http://registered.com/callback"}, op.ApplicationTypeUserAgent, false),
+				mock.NewClientWithConfig(t, []string{"http://registered.com/callback"}, op.ApplicationTypeUserAgent, nil, false),
 				oidc.ResponseTypeCode},
 			true,
 		},
 		{
 			"code flow registered http confidential ok",
 			args{"http://registered.com/callback",
-				mock.NewClientWithConfig(t, []string{"http://registered.com/callback"}, op.ApplicationTypeWeb, false),
+				mock.NewClientWithConfig(t, []string{"http://registered.com/callback"}, op.ApplicationTypeWeb, nil, false),
 				oidc.ResponseTypeCode},
 			false,
 		},
 		{
 			"code flow registered custom not native fails",
 			args{"custom://callback",
-				mock.NewClientWithConfig(t, []string{"custom://callback"}, op.ApplicationTypeUserAgent, false),
+				mock.NewClientWithConfig(t, []string{"custom://callback"}, op.ApplicationTypeUserAgent, nil, false),
 				oidc.ResponseTypeCode},
 			true,
 		},
 		{
 			"code flow registered custom native ok",
 			args{"custom://callback",
-				mock.NewClientWithConfig(t, []string{"custom://callback"}, op.ApplicationTypeNative, false),
+				mock.NewClientWithConfig(t, []string{"custom://callback"}, op.ApplicationTypeNative, nil, false),
 				oidc.ResponseTypeCode},
 			false,
 		},
 		{
 			"code flow dev mode http ok",
 			args{"http://registered.com/callback",
-				mock.NewClientWithConfig(t, []string{"http://registered.com/callback"}, op.ApplicationTypeNative, true),
+				mock.NewClientWithConfig(t, []string{"http://registered.com/callback"}, op.ApplicationTypeNative, nil, true),
 				oidc.ResponseTypeCode},
 			false,
 		},
 		{
 			"implicit flow registered ok",
 			args{"https://registered.com/callback",
-				mock.NewClientWithConfig(t, []string{"https://registered.com/callback"}, op.ApplicationTypeUserAgent, false),
+				mock.NewClientWithConfig(t, []string{"https://registered.com/callback"}, op.ApplicationTypeUserAgent, nil, false),
 				oidc.ResponseTypeIDToken},
 			false,
 		},
 		{
 			"implicit flow unregistered ok",
 			args{"https://unregistered.com/callback",
-				mock.NewClientWithConfig(t, []string{"https://registered.com/callback"}, op.ApplicationTypeUserAgent, false),
+				mock.NewClientWithConfig(t, []string{"https://registered.com/callback"}, op.ApplicationTypeUserAgent, nil, false),
 				oidc.ResponseTypeIDToken},
 			true,
 		},
 		{
 			"implicit flow registered http localhost native ok",
 			args{"http://localhost:9999/callback",
-				mock.NewClientWithConfig(t, []string{"http://localhost:9999/callback"}, op.ApplicationTypeNative, false),
+				mock.NewClientWithConfig(t, []string{"http://localhost:9999/callback"}, op.ApplicationTypeNative, nil, false),
 				oidc.ResponseTypeIDToken},
 			false,
 		},
 		{
 			"implicit flow registered http localhost user agent fails",
 			args{"http://localhost:9999/callback",
-				mock.NewClientWithConfig(t, []string{"http://localhost:9999/callback"}, op.ApplicationTypeUserAgent, false),
+				mock.NewClientWithConfig(t, []string{"http://localhost:9999/callback"}, op.ApplicationTypeUserAgent, nil, false),
 				oidc.ResponseTypeIDToken},
 			true,
 		},
 		{
 			"implicit flow http non localhost fails",
 			args{"http://registered.com/callback",
-				mock.NewClientWithConfig(t, []string{"http://registered.com/callback"}, op.ApplicationTypeNative, false),
+				mock.NewClientWithConfig(t, []string{"http://registered.com/callback"}, op.ApplicationTypeNative, nil, false),
 				oidc.ResponseTypeIDToken},
 			true,
 		},
 		{
 			"implicit flow custom fails",
 			args{"custom://callback",
-				mock.NewClientWithConfig(t, []string{"custom://callback"}, op.ApplicationTypeNative, false),
+				mock.NewClientWithConfig(t, []string{"custom://callback"}, op.ApplicationTypeNative, nil, false),
 				oidc.ResponseTypeIDToken},
 			true,
 		},
 		{
 			"implicit flow dev mode http ok",
 			args{"http://registered.com/callback",
-				mock.NewClientWithConfig(t, []string{"http://registered.com/callback"}, op.ApplicationTypeNative, true),
+				mock.NewClientWithConfig(t, []string{"http://registered.com/callback"}, op.ApplicationTypeNative, nil, true),
 				oidc.ResponseTypeIDToken},
 			false,
 		},
@@ -265,6 +265,44 @@ func TestValidateAuthReqRedirectURI(t *testing.T) {
 	}
 }
 
+func TestValidateAuthReqResponseType(t *testing.T) {
+	type args struct {
+		responseType oidc.ResponseType
+		client       op.Client
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			"empty response type",
+			args{"",
+				mock.NewClientWithConfig(t, nil, op.ApplicationTypeNative, []oidc.ResponseType{oidc.ResponseTypeCode}, true)},
+			true,
+		},
+		{
+			"response type missing in client config",
+			args{oidc.ResponseTypeIDToken,
+				mock.NewClientWithConfig(t, nil, op.ApplicationTypeNative, []oidc.ResponseType{oidc.ResponseTypeCode}, true)},
+			true,
+		},
+		{
+			"valid response type",
+			args{oidc.ResponseTypeCode,
+				mock.NewClientWithConfig(t, nil, op.ApplicationTypeNative, []oidc.ResponseType{oidc.ResponseTypeCode}, true)},
+			false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := op.ValidateAuthReqResponseType(tt.args.client, tt.args.responseType); (err != nil) != tt.wantErr {
+				t.Errorf("ValidateAuthReqScopes() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
 func TestRedirectToLogin(t *testing.T) {
 	type args struct {
 		authReqID string
diff --git a/pkg/op/mock/client.go b/pkg/op/mock/client.go
index 1e297ef..b0d0dca 100644
--- a/pkg/op/mock/client.go
+++ b/pkg/op/mock/client.go
@@ -1,6 +1,7 @@
 package mock
 
 import (
+	"github.com/caos/oidc/pkg/oidc"
 	"testing"
 
 	gomock "github.com/golang/mock/gomock"
@@ -28,11 +29,12 @@ func NewClientExpectAny(t *testing.T, appType op.ApplicationType) op.Client {
 	return c
 }
 
-func NewClientWithConfig(t *testing.T, uri []string, appType op.ApplicationType, devMode bool) op.Client {
+func NewClientWithConfig(t *testing.T, uri []string, appType op.ApplicationType, responseTypes []oidc.ResponseType, devMode bool) op.Client {
 	c := NewClient(t)
 	m := c.(*MockClient)
 	m.EXPECT().RedirectURIs().AnyTimes().Return(uri)
 	m.EXPECT().ApplicationType().AnyTimes().Return(appType)
+	m.EXPECT().ResponseTypes().AnyTimes().Return(responseTypes)
 	m.EXPECT().DevMode().AnyTimes().Return(devMode)
 	return c
 }